Data Processing Agreement
Last updated: 27 April 2026
This Data Processing Agreement (the “DPA”) forms part of the Platform Subscription Agreement (the “Agreement”) between ChieflyAI LTD (“Chiefly,” “we,” “Processor”), a company registered in England and Wales (registered number 16979021) with its registered office at The Old Town Hall, Market Place, Oundle, Peterborough, England, PE8 4BA, and the customer named in the Agreement (the “Customer” or “Controller”).
This DPA applies whenever Chiefly processes personal data on behalf of the Customer in the course of providing the Platform.
1. Definitions
- “Applicable Data Protection Law” means the UK GDPR, the Data Protection Act 2018, the EU GDPR (where it applies to the Customer’s processing), and any other data protection or privacy law that applies to the Customer’s processing of personal data.
- “Customer Personal Data” means personal data contained in Customer Data (as defined in the Agreement) that Chiefly processes on the Customer’s behalf.
- “Data Subject,” “personal data,” “processing,” “controller,” “processor,” “personal data breach,” and “supervisory authority” have the meanings given in Applicable Data Protection Law.
- “Sub-processor” means a third party engaged by Chiefly to process Customer Personal Data on the Customer’s behalf.
- Capitalised terms not defined in this DPA have the meanings given in the Agreement.
2. Roles and scope
2.1 The Customer is the controller of Customer Personal Data. Chiefly is the processor of Customer Personal Data. Where the Customer is itself a processor (acting on behalf of another controller), Chiefly is a sub-processor in that chain and the obligations in this DPA apply accordingly.
2.2 Chiefly processes Customer Personal Data only on the Customer’s documented instructions. The Agreement, the Platform’s settings and configuration, and this DPA together constitute the Customer’s documented instructions to Chiefly.
2.3 If Chiefly cannot comply with the Customer’s instructions for any reason — including because an instruction would breach Applicable Data Protection Law — Chiefly will notify the Customer without undue delay.
3. Description of processing
The parties acknowledge the following description of processing, which the Customer may update by notifying Chiefly through the Platform’s settings or in writing:
| Item | Description |
|---|---|
| Subject matter | Provision of the Platform under the Agreement |
| Duration | The term of the Agreement, plus any data-retention period set out in the Agreement |
| Nature and purpose | Cloud-hosted multi-tenant SaaS for finance and operations automation, including AI-generated analysis, conversational interfaces, and integration with Customer-selected third-party systems |
| Types of personal data | Determined by the Customer’s choice of integrations and uploaded content. Typically includes: names, email addresses, phone numbers, business addresses, job titles, user account identifiers, financial transaction metadata involving identifiable people, and content of communications (such as customer-support tickets if connected). May include sensitive categories only if the Customer chooses to upload them; doing so requires the Customer’s lawful basis under Article 9 |
| Categories of Data Subjects | Determined by the Customer’s choice of integrations and uploaded content. Typically: the Customer’s employees and contractors, the Customer’s clients and customers, the Customer’s suppliers, and other counterparties recorded in the Customer’s connected systems |
4. Chiefly’s obligations as processor
Chiefly will:
4.1 Process Customer Personal Data only on documented instructions from the Customer, including with regard to transfers to a third country or international organisation, unless required to do so by law (in which case Chiefly will notify the Customer of that requirement before processing, unless the law prohibits doing so on important grounds of public interest).
4.2 Ensure that personnel authorised to process Customer Personal Data are bound by appropriate confidentiality obligations.
4.3 Implement and maintain the technical and organisational security measures described in Annex 2 (Security Measures), and apply additional measures the Customer reasonably requests, subject to commercial reasonableness.
4.4 Engage Sub-processors only as set out in clause 6.
4.5 Assist the Customer, taking into account the nature of the processing and the information available to Chiefly, with:
- Responding to Data Subject requests under Articles 15–22 UK GDPR (clause 7);
- Meeting the Customer’s obligations under Articles 32–36 UK GDPR (security, breach notification, impact assessments, and prior consultation);
- Demonstrating the Customer’s compliance with Article 28 UK GDPR.
4.6 At the Customer’s choice, delete or return all Customer Personal Data after the end of the Agreement, in accordance with the data-retention provisions of the Agreement, except where retention is required by law.
4.7 Make available to the Customer all information necessary to demonstrate compliance with Article 28 UK GDPR, and allow for and contribute to audits as set out in clause 8.
5. Customer’s obligations as controller
The Customer:
5.1 Confirms that it has a lawful basis under Applicable Data Protection Law for processing Customer Personal Data through the Platform, and for instructing Chiefly to process it.
5.2 Is responsible for the accuracy, quality, and legality of Customer Personal Data, and for the means by which the Customer acquired the data.
5.3 Will comply with its own obligations under Applicable Data Protection Law as controller — including providing notices, obtaining consents where required, and managing the rights of Data Subjects.
5.4 Will not provide Chiefly with personal data the Customer does not have the right to share, including Special Category Data under Article 9 UK GDPR unless the Customer has an applicable Article 9 condition.
6. Sub-processors
6.1 General authorisation. The Customer gives Chiefly general authorisation to engage Sub-processors to process Customer Personal Data, subject to this clause 6.
6.2 Current Sub-processors. A current list of Sub-processors is published at chieflyai.com/security (the “Sub-processor List”) and is incorporated into this DPA by reference. The list is also available on request from privacy@chieflyai.com.
6.3 Change notification. Before engaging a new Sub-processor or replacing an existing one for processing of Customer Personal Data, Chiefly will:
- Update the Sub-processor List at least 30 days before the change takes effect; and
- Notify Customers who have subscribed to Sub-processor change notifications by email (the Customer can subscribe at privacy@chieflyai.com).
6.4 Right to object. The Customer may object in writing to a new Sub-processor on reasonable grounds related to data protection within 30 days of notification. The parties will discuss in good faith. If the parties cannot resolve the objection, the Customer may terminate the affected portion of the Agreement (or the entire Agreement, if the Sub-processor is essential to the Platform) by written notice, and Chiefly will refund any pre-paid fees for the unused portion of the term.
6.5 Sub-processor terms. Chiefly will impose data-protection terms on each Sub-processor that are no less protective than the terms of this DPA, in writing. Chiefly remains liable to the Customer for the acts and omissions of its Sub-processors as if they were its own.
7. Data Subject requests
7.1 Chiefly will not respond to a Data Subject request relating to Customer Personal Data, except on the Customer’s instruction or as required by law. If Chiefly receives such a request directly, Chiefly will refer the Data Subject to the Customer without responding to the substance of the request.
7.2 Chiefly will provide reasonable assistance to the Customer (taking into account the nature of the processing) to enable the Customer to respond to Data Subject requests, including by providing tools through the Platform that let the Customer access, export, correct, and delete Customer Personal Data.
8. Audit rights
8.1 Information. Chiefly will provide the Customer with information reasonably necessary to demonstrate compliance with this DPA — including:
- The current Sub-processor List;
- The published security overview at /security;
- The internal Customer Security Overview, available under NDA from security@chieflyai.com;
- Any third-party certifications Chiefly holds (such as Cyber Essentials Plus, when issued).
8.2 Audit. Where the information provided under clause 8.1 is not sufficient, the Customer may request an audit of Chiefly’s compliance with this DPA, subject to the following:
- The Customer may request one audit in any 12-month period, unless an audit is required by a supervisory authority or a personal data breach has occurred.
- The Customer must give Chiefly at least 30 days’ written notice of the audit and a proposed scope.
- The audit must be conducted during normal business hours, must not unreasonably interfere with Chiefly’s operations, and must respect the confidentiality of Chiefly’s other customers.
- The Customer (or its independent auditor) must be bound by confidentiality obligations at least as protective as the Agreement.
- The Customer pays its own costs and Chiefly’s reasonable costs of supporting the audit, except where the audit reveals a material breach of this DPA — in which case Chiefly bears its own costs.
8.3 Alternative. Chiefly may satisfy a Customer’s audit request by making available a recent third-party audit report (such as a SOC 2 report or ISO 27001 certificate, when held).
9. International transfers
9.1 Chiefly is established in the UK. Customer Personal Data is primarily processed in the UK.
9.2 Where Chiefly transfers Customer Personal Data outside the UK or the European Economic Area — including to Sub-processors in countries that the UK or EU has not deemed to provide an adequate level of data protection — Chiefly will rely on a lawful transfer mechanism, including:
- An adequacy decision by the UK Government or the European Commission;
- The UK International Data Transfer Agreement (IDTA);
- The EU Standard Contractual Clauses (SCCs) with the UK Addendum;
- Any other lawful mechanism permitted by Applicable Data Protection Law.
9.3 Pre-signed transfer mechanism. Where required, Chiefly will enter into the IDTA or SCCs with the Customer at the Customer’s request. Customers requiring a signed copy should contact privacy@chieflyai.com.
9.4 Sub-processors outside the UK/EEA. Some Sub-processors listed at /security process data outside the UK/EEA. Chiefly has put appropriate transfer mechanisms in place with each.
10. Personal data breach
10.1 Chiefly will notify the Customer of any personal data breach affecting Customer Personal Data without undue delay, and in any case within 72 hours of becoming aware of it.
10.2 The notification will include, to the extent known at the time:
- A description of the nature of the breach (categories and approximate numbers of Data Subjects and records affected);
- The likely consequences of the breach;
- The measures Chiefly has taken or proposes to take to address the breach and mitigate its effects;
- Contact details for the relevant Chiefly point of contact.
10.3 Chiefly will provide the Customer with reasonable assistance to enable the Customer to meet its own breach-notification obligations under Applicable Data Protection Law.
10.4 A failure by Chiefly to detect or notify a breach within the time set out in this clause does not, on its own, constitute a breach of this DPA where Chiefly acted with reasonable diligence.
11. Deletion or return of data
11.1 On expiry or termination of the Agreement, Chiefly will delete or return Customer Personal Data in accordance with the data-retention provisions of the Agreement (clause 11.6 of the Platform Subscription Agreement).
11.2 Backups containing Customer Personal Data are purged on Chiefly’s normal backup-retention cycle and do not require active deletion.
11.3 Chiefly may retain Customer Personal Data where retention is required by Applicable Data Protection Law or another applicable law, and only for as long as that law requires.
12. Liability
The limitations and exclusions of liability set out in the Agreement (clause 14 of the Platform Subscription Agreement) apply to claims arising out of or related to this DPA. For the avoidance of doubt, this DPA does not increase or decrease either party’s liability under the Agreement.
13. Order of precedence
If there is a conflict between this DPA and the rest of the Agreement, this DPA prevails for matters relating to the processing of Customer Personal Data. Otherwise, the Agreement prevails.
14. Changes to this DPA
Chiefly may update this DPA from time to time:
- To reflect changes in Applicable Data Protection Law (effective immediately, on notice);
- To reflect changes in Sub-processors or security measures (subject to clause 6 and the change-notice procedure of the Agreement);
- For other reasons, with at least 30 days’ notice; the Customer may object as set out in clause 6.4.
15. Notices
Notices under this DPA follow the notice mechanism in the Agreement (clause 15 of the Platform Subscription Agreement). Data-protection-specific notices may also be sent to privacy@chieflyai.com.
16. Governing law
This DPA is governed by the same law as the Agreement (England & Wales).
Annex 1 — Description of processing (incorporated)
The description in clause 3 of this DPA constitutes Annex 1 for the purposes of UK GDPR Article 28(3).
Annex 2 — Security measures
Chiefly implements the technical and organisational security measures described at chieflyai.com/security and in the internal Customer Security Overview (available to qualified buyers under NDA from security@chieflyai.com).
The current measures include, without limitation:
Infrastructure
- UK-resident processing on a dedicated private network
- AI traffic routed over a private backbone, end-to-end
- Hardened, least-privilege runtime
- Centralised secret management with recovery
Data
- AES-256 encryption at rest
- Database-enforced tenant isolation
- Per-integration application-layer encryption of third-party credentials
- Point-in-time backup recovery
Identity
- TOTP multi-factor authentication
- Required for password and email changes
- Role-based access within each tenant
- Federated sign-in via OAuth
Application
- Hardened security headers on every response
- Tiered rate limiting per route class
- Schema validation on every request
- Parameterised queries throughout
Observability and incident response
- Error tracking, log aggregation, application performance monitoring, and LLM-trace observability
- Documented internal incident-response process covering detection, containment, eradication, recovery, and customer communication
Chiefly is Cyber Essentials Plus certified (May 2026, independently assessed by an IASME-accredited assessor) and plans to pursue ISO 27001 as a follow-on.
Annex 3 — Transfer mechanism
Where the IDTA, EU SCCs, or UK Addendum is required as a lawful transfer mechanism, Chiefly will execute the relevant template with the Customer on request. Customers requiring a signed copy should contact privacy@chieflyai.com.
Annex 4 — Sub-processors
The current list of Sub-processors is maintained at chieflyai.com/security. At the date of this DPA, they include:
- Microsoft Azure — compute, AI, storage, networking, secrets — all processed data
- Supabase — managed Postgres and authentication — all processed data
- Vercel — web hosting and CDN — request metadata, no persistent customer data
- OpenAI (via Azure) — LLM inference within Chiefly’s Azure tenancy — prompts and completions
- Sentry — error tracking — stack traces, PII-scrubbed
- Betterstack (Logtail) — log ingestion — application logs
- Langfuse — LLM observability — prompts and completions
- Resend — transactional email — recipient email and message body
Customers can subscribe to change notifications at privacy@chieflyai.com.
Contact: privacy@chieflyai.com for all data-protection enquiries; security@chieflyai.com for security incidents.